PKI for Dummies

PKI, or Public Key Infrastructure, employs asymmetric cryptography to sign and encrypt various items. Asymmetric means that you use different keys for encryption and decryption, as opposed to a single key for both operations (symmetric cryptography). There is a private key, which is typically password protected and which (theoretically) only you have access to. The public key is accessible to anyone. Anything encrypted by the private key can be decrypted by the public key, and vice versa.

This is pretty easy to picture when it comes to encrypting data, but usually trips people up when trying to imagine how this equates to a digital signature. A digital signature uses this asymmetric principle to verify that the content was both unaltered and authored by the owner of the private key. This process works by generating a fingerprint from the data to be validated using a hashing algorithm (MD5, etc.), then encrypting that fingerprint with your private key and attaching the result to the object being sent. The recipient then receives this document, and if they are able to decrypt the encrypted attachment with your public key, then they have just validated that this data came from you, and nobody else. Then their computer generates the same fingerprint from the received data and compares it to the fingerprint that was sent as an attachment. If these two fingerprints match, then they can infer that the data was not altered in transit. If the fingerprints do not match, the opposite is true.
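The sign-and-verify flow described above, as an added example that is not part of the original post. It assumes textbook RSA (no padding) with a constructed toy key built from well-known Mersenne primes, uses SHA-256 as the fingerprint algorithm, and all function names are illustrative; real systems use a vetted library with a padded signature scheme.

```python
import hashlib

# Constructed toy key material: two well-known Mersenne primes.
# Textbook RSA without padding, for illustration only.
P, Q = 2**127 - 1, 2**521 - 1
E = 65537

def make_keypair(p, q, e=E):
    """Return (public, private) keys as (exponent, modulus) tuples."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (e, n), (d, n)

def fingerprint(data: bytes) -> int:
    """Reduce the data to a fixed-size fingerprint (SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private_key) -> int:
    """Sender: 'encrypt' the fingerprint with the private key."""
    d, n = private_key
    return pow(fingerprint(data), d, n)

def verify(data: bytes, signature: int, public_key) -> bool:
    """Recipient: recover the attached fingerprint with the public key,
    recompute the fingerprint locally, and compare the two."""
    e, n = public_key
    attached = pow(signature, e, n)
    return attached == fingerprint(data)

if __name__ == "__main__":
    public, private = make_keypair(P, Q)
    document = b"Pay Bob 10 dollars"       # constructed sample message
    signature = sign(document, private)

    # Unaltered data, correct signer
    print("original:", verify(document, signature, public))
    # Data altered in transit: the fingerprints no longer match
    print("tampered:", verify(b"Pay Bob 1000 dollars", signature, public))
    # Signature checked against somebody else's public key
    other_public, _ = make_keypair(2**89 - 1, 2**607 - 1)
    print("wrong key:", verify(document, signature, other_public))
```

Only the first check prints `True`; altering the data or checking against the wrong public key makes verification fail.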

Certificate trust is another important thing. Theoretically, anybody can generate certificates, but how do we trust them? A certificate that claims to prove a person's identity is meaningless if there is no trust behind it. It's like going to a bar, and showing the bouncer a piece of paper that says "I'm over 21. Trust me". The bouncer will probably throw you outside, beat the crap out of you, tell you never to come back, call the cops, get some other buddies to kick you while you are on the ground, spit on you a few times, and then the cops will tell them to stop. You might then get arrested, taken to jail, beat up some more there because you are there with hardened criminals who have (allegedly) committed more violent offences and view your transgressions of using a fake ID as being weak and an easy target. So how do we prevent this scenario in the digital realm with certificates? It's all about trust.

You prove your identity to a large trustworthy corporation that specializes in certificate management. They then issue you a certificate after they have validated your identity. A person who sees your certificate is able to see this chain of trust, meaning they can see the root certification authority (CA) that issued you the certificate. They then check the validity of your cert with the CA, and if all comes back well, then you are all trusted and good to go. If your certificate gets stolen, the CA may revoke your certificate and put it on a revocation list, so that next time your certificate trust is audited, it will fail and come back untrustworthy.

This same thing happens in real life with state- or government-issued IDs. Back to the bar scenario. If you have an identification card issued by your local government, this is trusted, because the person inspecting it trusts that the state government performed accurate validation of your identity before issuing you your ID card/driver's license. The bouncer acknowledges the trust of the issuing source, and may then inspect it for authenticity by looking for the security watermarks/holograms/windows into other dimensions. If this all checks out, the bouncer will allow you into the bar to get as wasted as you want with your friends, or possibly all alone as you sit lonely at the bar, wishing that you had more friends to get drunk with or that the cute girl at the end of the bar wasn't with some arrogant prick who obviously cheats on her. If only they wanted you. GOOD DAY!